Legal claims defining the scope of protection, as filed with the USPTO.
1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor: receive untrusted data for input to an application at an enclave in an electronic device, wherein the enclave includes a protected region of memory in which the application resides for execution; receive a flag associated with the application; determine whether the flag associated with the application indicates that the application is to be used with integrity verification, wherein the integrity verification module performs data integrity attestation functions to verify the untrusted data for input and wherein the data integrity attestation functions include a data attestation policy specifying constraints on input values for the application; responsive to determining the application is to be used with integrity verification: isolate the untrusted data for input from at least a portion of the enclave; communicate at least a portion of the untrusted data for input to an integrity verification module using an attestation channel; receive data integrity verification of the untrusted data for input from the integrity verification module; and return the verified untrusted data for input to the application for processing.
2. The at least one computer-readable medium of claim 1, wherein the data integrity attestation functions further include a whitelist.
3. The at least one computer-readable medium of claim 1, wherein the integrity verification module is located in the electronic device.
4. The at least one computer-readable medium of claim 1, wherein the integrity verification module is located in the enclave.
5. The at least one computer-readable medium of claim 1, wherein the integrity verification module is located in a server that is remote from the electronic device.
6. The at least one computer-readable medium of claim 1, wherein the integrity verification module is located in a cloud that is remote from the electronic device.
7. An apparatus comprising: an integrity verification module configured to: receive untrusted data for input to an application from an enclave in an electronic device, wherein the untrusted data is isolated from at least a portion of the enclave, wherein the enclave includes a protected region of memory in which the application resides for execution, and wherein the untrusted data is communicated using an attestation channel; receive a flag associated with the application; determine whether the flag associated with the application indicates that the application is to be used with integrity verification, wherein the integrity verification module performs data integrity attestation functions to verify the untrusted data for input and wherein the data integrity attestation functions include a data attestation policy specifying constraints on input values for the application; responsive to determining the application is to be used with integrity verification: perform data integrity verification of the untrusted data for input; and return the results of the data integrity verification to the enclave.
8. The apparatus of claim 7, wherein the data integrity attestation functions further include a whitelist.
9. The apparatus of claim 7, wherein the integrity verification module is located in the electronic device.
10. The apparatus of claim 7, wherein the integrity verification module is located in the enclave.
11. The apparatus of claim 7, wherein the integrity verification module is located in a server that is remote from the electronic device.
12. The apparatus of claim 7, wherein the integrity verification module is located in a cloud that is remote from the electronic device.
13. A method comprising: receiving untrusted data for input to an application at an enclave in an electronic device, wherein the enclave includes a protected region of memory in which the application resides for execution; receiving a flag associated with the application; determining whether the flag associated with the application indicates that the application is to be used with integrity verification, wherein the integrity verification module performs data integrity attestation functions to verify the untrusted data for input and wherein the data integrity attestation functions include a data attestation policy specifying constraints on input values for the application; responsive to determining the application is to be used with integrity verification: isolating the untrusted data for input from at least a portion of the enclave; communicating at least a portion of the untrusted data for input to an integrity verification module using an attestation channel; receiving data integrity verification of the untrusted data for input from the integrity verification module; and returning the verified untrusted data for input to the application for processing.
14. The method of claim 13, wherein the data integrity attestation functions further include a whitelist.
15. The method of claim 13, wherein the integrity verification module is located in the electronic device.
16. The method of claim 13, wherein the integrity verification module is located in a server that is remote from the electronic device.
17. The method of claim 13, wherein the integrity verification module is located in a cloud that is remote from the electronic device.
18. A system for data verification using enclave attestation, the system comprising: an integrity verification module configured for: receiving untrusted data for input to an application at an enclave in an electronic device, wherein the enclave includes a protected region of memory in which the application resides for execution; receiving a flag associated with the application; determining whether the flag associated with the application indicates that the application is to be used with integrity verification, wherein the integrity verification module performs data integrity attestation functions to verify the untrusted data for input and wherein the data integrity attestation functions include a data attestation policy specifying constraints on input values for the application; responsive to determining the application is subject to integrity verification: isolating the untrusted data for input from at least a portion of the enclave; communicating at least a portion of the untrusted data for input to an integrity verification module using an attestation channel; receiving data integrity verification of the untrusted data for input from the integrity verification module; and returning the verified untrusted data for input to the application for processing.
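The procedure that the independent claims recite (receive untrusted input at the enclave, check the application's flag, isolate the data from the application, pass it over an attestation channel to an integrity verification module that applies a data attestation policy and a whitelist, and release only verified data to the application) simulated end to end in Python. This is an added example, not code from the patent or its assignee. The policy schema, the use of HMAC-authenticated messages with a nonce and data digest to model the attestation channel, and every identifier (`DataAttestationPolicy`, `IntegrityVerificationModule`, `Enclave`, `submit_input`, the `thermo` and `logger` applications and their fields) are assumptions; the claims themselves specify none of these details.

```python
"""Added example, not the patent's code: untrusted input is staged in an enclave, verified
over an attestation channel by an integrity verification module (IVM) applying a data
attestation policy plus whitelist, and only then released to the application."""
import copy
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

def canonical(obj: Any) -> bytes:   # deterministic bytes so both channel ends MAC the same thing
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def channel_mac(key: bytes, body: Dict[str, Any]) -> str:   # attestation channel modelled as HMAC (assumed)
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

@dataclass
class DataAttestationPolicy:
    """Assumed schema. constraints: field -> {'type', optional 'min'/'max'}; whitelist: field -> allowed set."""
    constraints: Dict[str, Dict[str, Any]]
    whitelist: Dict[str, set] = field(default_factory=dict)

    def check(self, data: Dict[str, Any]) -> List[str]:
        problems: List[str] = []
        for name, rule in self.constraints.items():
            v = data.get(name)
            # bool subclasses int in Python; do not let True/False pass as numbers
            if not isinstance(v, rule["type"]) or (rule["type"] is int and isinstance(v, bool)):
                problems.append(f"{name}: missing or wrong type")
            elif "min" in rule and v < rule["min"]:
                problems.append(f"{name}: below minimum")
            elif "max" in rule and v > rule["max"]:
                problems.append(f"{name}: above maximum")
        for name, allowed in self.whitelist.items():
            if name in data and data[name] not in allowed:
                problems.append(f"{name}: not whitelisted")
        for name in sorted(set(data) - set(self.constraints)):   # fields the policy never allowed
            problems.append(f"{name}: unexpected field")
        return problems

class IntegrityVerificationModule:
    """Performs the data integrity attestation functions; its location (device, enclave, remote) does not change this."""
    def __init__(self, key: bytes, policies: Dict[str, DataAttestationPolicy]):
        self._key, self._policies, self._seen = key, policies, set()

    def verify(self, request: Dict[str, Any]) -> Dict[str, Any]:
        body = request["body"]
        if not hmac.compare_digest(channel_mac(self._key, body), request["mac"]):
            reasons = ["attestation channel: bad MAC"]
        elif body["nonce"] in self._seen:
            reasons = ["attestation channel: replayed nonce"]
        elif body["app_id"] not in self._policies:
            reasons = ["no data attestation policy for application"]
        else:
            self._seen.add(body["nonce"])
            reasons = self._policies[body["app_id"]].check(body["data"])
        # Bind the verdict to the request nonce and to a digest of the exact data that was checked.
        reply = {"nonce": body["nonce"], "ok": not reasons, "reasons": reasons,
                 "data_digest": hashlib.sha256(canonical(body["data"])).hexdigest()}
        return {"body": reply, "mac": channel_mac(self._key, reply)}

class Enclave:
    """Protected region holding the application; input is staged, isolated from it, until verified."""
    def __init__(self, ivm: IntegrityVerificationModule, key: bytes, flags: Dict[str, bool]):
        self._ivm, self._key, self._flags = ivm, key, flags
        self._staging, self.app_inbox = {}, {}   # isolated holding area / what the application receives

    def submit_input(self, app_id: str, untrusted: Dict[str, Any]) -> Tuple[str, List[str]]:
        if not self._flags.get(app_id, False):   # flag: application not used with integrity verification
            self.app_inbox.setdefault(app_id, []).append(untrusted)
            return "delivered-unverified", []
        nonce = secrets.token_hex(16)
        self._staging[nonce] = copy.deepcopy(untrusted)   # isolate from the application's data
        body = {"app_id": app_id, "nonce": nonce, "data": self._staging[nonce]}
        reply = self._ivm.verify({"body": body, "mac": channel_mac(self._key, body)})
        staged, rb = self._staging.pop(nonce), reply["body"]
        if (not hmac.compare_digest(channel_mac(self._key, rb), reply["mac"]) or rb["nonce"] != nonce
                or rb["data_digest"] != hashlib.sha256(canonical(staged)).hexdigest()):
            return "rejected", ["attestation channel: reply not bound to request"]
        if not rb["ok"]:
            return "rejected", rb["reasons"]     # unverified data never reaches the application
        self.app_inbox.setdefault(app_id, []).append(staged)
        return "delivered", []

def demo() -> Dict[str, Tuple[str, List[str]]]:
    key = secrets.token_bytes(32)   # shared channel key (constructed for the demo)
    policy = DataAttestationPolicy(
        constraints={"temperature_c": {"type": int, "min": -40, "max": 85}, "sensor_id": {"type": str}},
        whitelist={"sensor_id": {"probe-A", "probe-B"}})
    enclave = Enclave(IntegrityVerificationModule(key, {"thermo": policy}), key,
                      {"thermo": True, "logger": False})   # 'thermo' is flagged for verification, 'logger' is not
    return {
        "good": enclave.submit_input("thermo", {"temperature_c": 21, "sensor_id": "probe-A"}),
        "out_of_range": enclave.submit_input("thermo", {"temperature_c": 900, "sensor_id": "probe-A"}),
        "not_whitelisted": enclave.submit_input("thermo", {"temperature_c": 21, "sensor_id": "probe-Z"}),
        "extra_field": enclave.submit_input("thermo", {"temperature_c": 21, "sensor_id": "probe-A", "cmd": "x"}),
        "flag_off": enclave.submit_input("logger", {"anything": "goes"}),
    }
```

`demo()` returns a status and reason list per input. Two design points are worth noticing: the staged copy, not the caller's object, is what the module hashes and what the application eventually receives, so a caller cannot mutate the data between verification and delivery; and the verdict is accepted only if its MAC verifies and it names the request nonce and the digest of the staged bytes, so a verdict for some other input cannot be replayed against this one.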
July 25, 2017